Certificate Authority Documentation
This page contains installation and usage instructions for hosting your very
own certificate authority on a Windows Apache server. A certificate authority
can be used to manage user authentication to some service or website in place of
- Make sure you are running Windows 98 or later.
- Install the following software packages in your root directory if you
don't already have them:
- The OpenSA web server (built on top
of Apache). Or, if you prefer, you can use Apache 1.3 installed with the mod_ssl module. All instructions on this
page will reference the OpenSA setup, however.
- Open up the C:/OpenSA/Apache/conf/httpd file. Change the ServerName
and ServerAdmin directives to your own server name and admin name. Change
HostNameLookups from 'off' to 'on'.
- The Blat
program for SMTP mailing.
- Copy the blat executable into C:/OpenSA/Apache/bin.
- Download and unzip the ca files.
- Overwrite C:/OpenSA/Apache/cgi-bin with the unzipped cgi-bin folder from
- Copy the ssl.ca-0.1 folder from ca_files into C:/OpenSA/Apache/conf.
- Overwrite C:/OpenSA/Apache/htdocs/index.html with the supplied
- In C:/OpenSA/Apache/htdocs/index.html, overwrite "your site here" with the
web address of your service.
Do the same in
- For each file in C:/OpenSA/Apache/cgi-bin, replace all instances of
'www.domain.edu' with your server's domain name.
- Follow steps 1-3 under 'Example Usage' in the
C:/OpenSA/Apache/conf/ssl.ca-0.1/README file. You can run the scripts from
Cygwin. Make sure to remember the PEM passphrase you choose when you create
the new root CA.
- Open up the C:/OpenSA/Apache/conf/ssl.ca-0.1/sign-user-certs.sh file and
replace all instances of 'password' with the PEM passphrase you chose when
creating the root CA.
- Start your server by selecting 'Programs->OpenSA web
server->Management->Start Apache with SSL' from the Start menu. If you
ever need to stop the server, you can select 'Stop server' from this same
UsageThe idea behind the certificate authority is that a user must come
to an initial site to request a certificate that is then stored in his or her
browser. Once the user has a certificate, he or she may proceed directly to your
service. The index.html file included in ca_files reflects this intended
When a new user wishes to use your site, he or she should select the option
to make a new certificate request from the home page. The user will be prompted
for a name, email, and organizational unit to be used in the certificate
generation. Once the certificate has been generated, an email is sent to the
user in order to confirm that the user actually made the request. The e-mail
contains a hyperlink that installs the new certificate in the user's browser.
Thereafter, when the user visits your site, his or her browser will present the
certificate as a means of authentication.
Note: The first time a user requests a certificate, she may be prompted by
her browser because it does not recognize your new root certificate authority.
Users should elect to trust your root CA if they wish to use your service.